s6-tlsclient is an UCSPI client tool for TLS/SSL connections over INET domain sockets. It establishes a TCP connection to a server and a TLS transport over it, then executes into a program.
s6-tlsclient [ options ] [ -- ] host port prog...
prog is expected to read from its peer on descriptor 6 and write to its peer on descriptor 7. Since there will be a s6-tlsc-io program between prog and the network to perform the TLS encryption/decryption, those descriptors will not be a network socket - they will be pipes.
If the -H option is not given to s6-tlsclient, then host will be used as the server name to verify. You can use the -k option to override this default. Please note that if you use the -H option and do not provide a server name via -k, SNI will not be used, which may be a security risk.
The following variables should be set before invoking s6-tlsclient, because they will be used by s6-tlsc-io:
Setting either CADIR or CAFILE is mandatory.
prog... is run with the following variables added to, or removed from, its environment by s6-tcpclient:
Unless the -Z option is given to s6-tlsclient, the CADIR, CAFILE, KEYFILE, CERTFILE, TLS_UID and TLS_GID variables will not appear in prog's environment.
s6-tlsclient accepts a myriad of options, most of which are passed as is to the correct executable. Not giving any options will generally work: the defaults are sensible.
CADIR=/etc/ssl/certs s6-tlsclient skarnet.org 443 s6-ioconnect
This will open a connection to the skarnet.org web server over TLS and verify its certificate via the trust anchors listed in the /etc/ssl/certs directory. It will then branch your terminal to it: try typing GET / HTTP/1.0 then hitting return twice.